sandbox

module
v1.0.5 Latest Latest Go to latest Published: Nov 14, 2024 License: MIT
Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices
Repository

github.com/rhpds/sandbox
Links

Open Source Insights
README ¶

= Sandbox =
:toc:

This repository is a consolidated codebase for everything related to sandboxes for the Red Hat Demo Platform. It contains:

* sandbox-api: The Backend API for all things sandbox.
* sandbox-issue-jwt: CLI to generate a new signed JWT login token
* sandbox-list:  Interact with the AWS Sandbox DB in a read-only way.
* sandbox-metrics: Prometheus Endpoint exposing metrics.
* sandbox-replicate: AWS Lambda function to replicate changes from DynamoDB to a Postgres database.
* sandbox-rotate-vault: Program to reencrypt the IAM keys using a new secret key (ansible-vault, AES256)

== Build ==

.Build all binaries

You will need to have 'go' setup on your machine. Please use version 1.22 onwards
----
make
----

.Build separately
----
make sandbox-api
make sandbox-list
make sandbox-metrics
make sandbox-replicate
make sandbox-issue-jwt
make sandbox-rotate-vault
----

== sandbox-api ==

=== Installation ===

Create a secret file and run helm.

.secrets.yaml
----
sandbox_api_secrets:
  database:
    url: postgres://...
    dynamodb_aws_access_key_id: ...
    dynamodb_aws_secret_access_key: ...
  # Secret to generate and validate JWT tokens
  auth:
    jwt_auth_secret: ...
  # ansible-vault (AES256) key to encrypt the secret in the DB
  vault:
    vault_secret: ...
  # AWS usser that can assume role into the accounts
  aws:
    assume_aws_access_key_id: ...
    assume_aws_secret_access_key: ...
----

.Install chart
----
helm install  -f secrets.yaml sandbox-api deploy/helm-api/
----

.Upgrade chart
----
helm upgrade  -f secrets.yaml sandbox-api deploy/helm-api/
----

To initialize or update the postgresql schema, use the following:

.Run the DB migration
----
oc run admin-$$  \
--image=quay.io/rhpds/sandbox-admin:latest -i -t \
--restart=Never --rm -- /bin/bash <1>

DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require

# git clone https://github.com/rhpds/sandbox.git
# cd sandbox
# migrate github://rhpds/sandbox/db/migrations#VERSION -database $DATABASE_URL up

# For example
migrate \
  -source github://rhpds/sandbox/db/migrations#main \
  -database $DATABASE_URL up
----
<1> Use the rhpds/sandbox-admin image which contains all the necessary binaries and tools.


.Bootstrap an admin login token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash

export DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require

./sandbox-issue-jwt
[root@admin sandbox]# ./sandbox-issue-jwt
JWT Auth secret: Enter Claims in the JSON format:
for example: {"kind": "login", "name": "gucore", "role": "admin"}
{"kind": "login", "name": "gucore", "role": "admin"}
token:
[TOKEN HERE]
----

.Create an access token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash

logintoken=[TOKEN]

curl -H "Authorization: Bearer ${logintoken}" sandbox-api:8080/api/v1/login

[ACCESS TOKEN]

token=[ACCESS TOKEN]
# check access
curl -H "Authorization: Bearer ${token}" sandbox-api:8080/api/v1/health
----

=== Setup local development environment ===

All filed used for the local development environment are prefixed by `.dev` and are ignored by Git, see link:.gitignore[`.gitignore`]

[source,shell]
----
make run-local-pg  # run postgresql locally in a Container
make migrate  # Run the DB migrations to setup the db schema
# Set the following secrets, notice the heading space ' ' to avoid shell history
# IAM secrets to access AWS sandboxes
 export ASSUMEROLE_AWS_SECRET_ACCESS_KEY=...
 export ASSUMEROLE_AWS_ACCESS_KEY_ID=...
# IAM secrets to access dynamodb table that contains info of the AWS sandboxes
 export AWS_ACCESS_KEY_ID=...
 export AWS_SECRET_ACCESS_KEY=...
# AES key to encrypt sensible data in the different databases
# If you're using the dynamoDB dev database for AWS sandboxes (which you probably are)
# Then this needs to match the one in use on the DEV environment
 export VAULT_SECRET=...

make tokens # issue some JWT token for access
make run-api # <1>
air # <2>

----
<1> When iterating, you will be stopping and relaunching this step
<2> You can use link:https://github.com/cosmtrek/air[cosmtrek/air] instead. That will watch local files and rebuild + launch the API automatically if any changes are made.


== sandbox-replicate ==

The role of the lambda function is to replicate any changes made to the dynamoDB table into a postgresql database.


=== Push lambda ===

----
export AWS_PROFILE=infra-dev
make push-lambda
----

That will:

. Create a role, a policy and a lambda function
. Attach the policy to the role and the role to the lambda function
. Push the updated 'build/sandbox-replicate' binary to the lambda function


== sandbox-metrics ==

=== Deploy Metrics Prometheus ===

. clone this repository
+
----
git clone --depth 1 https://github.com/rhpds/sandbox sandbox
----
. If it doesn't exist yet, create an IAM user in AWS to read-only access to dynamoDB
. Create the secret file containing the key for the IAM user that has read-only access to DynamoDB
+
[source,yaml]
.`aws_sandbox_readonly.yaml`
----
aws_sandbox_metrics_secrets:
  readonly:
    aws_access_key_id: ...
    aws_secret_access_key: ...
----
. Install the helm chart
+
----
helm install  sandbox-metrics sandbox/deploy/helm-metrics/ -f aws_sandbox_readonly.yaml
----
+
Output should look like:
+
----
NAME: sandbox-metrics
LAST DEPLOYED: Thu Jun 17 09:30:04 2021
NAMESPACE: user-gucore-redhat-com
STATUS: deployed
REVISION: 1
TEST SUITE: None
----

== Create AWS sandboxes ==

Use link:playbooks[ansible playbooks].

== Conan - Sandbox Cleanup Daemon ==

See link:conan[conan].


== Add a new OCP shared cluster for OcpSandbox

In order for the sandbox API to be able to talk to the OCP shared cluster, you need to create a new OcpSharedClusterConfiguration.

That configuration holds the information needed to authenticate to the cluster and the additional variables that will be passed to the deployer when a sandbox is scheduled on that cluster.

There is 2 ways to authenticate to the cluster:
. Using a service Bearer Token
. Using a kubeconfig file

Here we'll be describing the first method.

On the cluster, create an admin service account

----
oc create serviceaccount sandbox-api-admin -n kube-system
oc create clusterrolebinding sandbox-api-admin -n kube-system --clusterrole=cluster-admin --serviceaccount=kube-system:sandbox-api-admin
oc create token sandbox-api-admin -n kube-system --duration=4294967296s
----


Then create a JSON file describing the OcpSharedClusterConfiguration. For example:


[source,text]
.`clustername.json`
----
{
    "name": "clustername", <1>
    "api_url": "https://api...:6443", <2>
    "ingress_domain": "apps...",
    "additional_vars": {
        ... <3>
    },
    "annotations":
    {
        "virt":"no",
        "cloud":"aws",
        "purpose":"dev"
    }, <4>
    "token":"..."  <5>
}
----
<1> The name of the cluster as it will be saved in the database
<2> The API URL of the cluster
<3> Additional variables that will be passed to the deployer if that cluster is elected when scheduling a sandbox
<4> Annotations are used to filter the clusters when ordering. For example, if you want to deploy a sandbox on a cluster that is not in production, you can use the purpose annotation to filter out the production clusters. That is done in agnosticV using the `__meta__.sandboxes[].cloud_selector` key
<5> The token is the token created in the previous step. It is used to authenticate the Sandbox API to the cluster.

Then use hurl and `./tools/ocp_shared_cluster_configuration_create.hurl`

----
hurl --variable login_token_admin=$admintoken \
--file-root . \
--variable host=SANDBOX_API_ADRESS \  <1>
--variable ocp_cluster_def=clustername.json \
./tools/ocp_shared_cluster_configuration_create.hurl


# or with curl directly
accesstoken=$(curl -s --header "Authorization: Bearer $admintoken"     --header 'Content-Type: application/json'     'https://SANDBOX_API_ADDRESS/api/v1/login'|jq -r .access_token)

curl --header "Authorization: Bearer $accesstoken" \
  --header 'Content-Type: application/json' \
  --data-binary '@./clustername.json' \
  'https://SANDBOX_API_ADDRESS/api/v1/ocp-shared-cluster-configurations'
----
<1> Replace SANDBOX_API_ADDRESS with the address of the Sandbox API
Directories ¶

Path	Synopsis
cmd
sandbox-api
sandbox-issue-jwt
sandbox-list
sandbox-metrics
sandbox-replicate
sandbox-rotate-vault
internal
api/v1
config
dynamodb
log
models
?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL